03-05-2019 06:54 AM
I am currently working on a Rapid Threat Containment project involving Firepower and ISE to force an infected client to use a different authorization policy with limited access. We then want to redirect a quarantined user to an external web server that can inform the user about the situation. In order to get the redirection to work, we need to enable the http/https server on the switch, and this has raised some security concerns. We could prevent management of the switch by using the commands "ip http active-session-modules none" and "ip http secure-active-session-modules none", but that will still leave the ports open, and I am looking for an alternative solution to get redirection to work. I have heard about the "walled garden" concept with fake DNS responses and am wondering whether this could be an alternative. Does anyone have experience with using a walled garden for web redirection, or know of any other solutions to do redirection without enabling the web server on the switch?
Thanks
/Jörgen
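As an added example (not from the original thread or from Cisco documentation), a Catalyst IOS configuration that keeps the web server enabled only for URL redirection while limiting what it exposes; the ACL names and numbers, the 10.10.10.0/24 quarantine subnet and the ISE PSN address 192.0.2.10 are assumed placeholders.

```text
! Assumed quarantine subnet: only these sources may reach the switch's HTTP/HTTPS listener
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny   any

! The web server must be on for URL redirect, but no management modules are served
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
! Restrict the listener to the quarantine subnet (clients must still reach it for redirect to work)
ip http access-class 10

! Redirect ACL referenced by the ISE authorization profile: "permit" lines are redirected,
! DNS and traffic to the PSN (placeholder address) are excluded so posture/portal flows keep working
ip access-list extended ACL-QUARANTINE-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
```

Verify after applying with "show ip http server status" and "show ip access-lists"; the access-class only narrows who can open a connection to the listener, it does not change the redirect itself.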
03-13-2019 02:10 PM
Yes, you can use the Auth VLAN feature, but in general we recommend using the switch's ability to redirect instead for Catalyst devices. Also note that AnyConnect 4.4+ can discover the PSN without using URL-redirect, so posture can be supported without it. However, you cannot redirect regular web traffic for non-AnyConnect posture use cases.
05-14-2019 12:32 AM - edited 05-14-2019 12:33 AM
Thank you. Do you know any configuration examples for how to configure Auth VLAN web redirection?
Best regards
/Jorgen